Adobe’s Roy Fielding patches Apache to ignore IE10 Do Not Track privacy request

Adobe’s Roy Fielding, who is also the original author of the W3C’s Tracking Preference Expression draft, has patched Apache, the open source web server, to ignore the Do Not Track header sent by Microsoft’s Internet Explorer 10, the browser in Windows 8:

image

Under the heading “Apache does not tolerate deliberate abuse of open standards,” Fielding’s patch sets Apache to remove the Do Not Track request header if IE10 is the web browser.
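The post does not reproduce the patch text, so as an added illustration (not the original page's or the Apache project's code) here is a small audit script built around a constructed httpd.conf fragment that mirrors the behaviour described above: Apache's real `BrowserMatch` (mod_setenvif) and `RequestHeader unset ... env=` (mod_headers) directives. The script simulates which request headers the server would drop for a given User-Agent, so an administrator can see whether a DNT signal still reaches the application; the rule wording, User-Agent strings and function names are my assumptions.

```python
import re

# Constructed httpd.conf fragment mirroring the behaviour the post describes.
# It uses genuine Apache directives but is NOT the verbatim patch text.
SAMPLE_CONF = """
# Apache does not tolerate deliberate abuse of open standards
BrowserMatch "MSIE 10.0;" bad_DNT
RequestHeader unset DNT env=bad_DNT
"""

# Constructed User-Agent strings for the simulation.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.2; rv:15.0) Gecko/20100101 Firefox/15.0"

# Only the quoted-regex form of BrowserMatch is handled here (assumption).
BROWSERMATCH_RE = re.compile(r'^\s*BrowserMatch(NoCase)?\s+"([^"]+)"\s+(\S+)', re.I)
UNSET_RE = re.compile(r'^\s*RequestHeader\s+unset\s+(\S+)(?:\s+env=(!?)(\S+))?', re.I)


def parse_conf(conf_text):
    """Collect (regex, envvar) BrowserMatch rules and (header, negated, envvar) unset rules."""
    matches, unsets = [], []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            continue  # comment or blank line
        m = BROWSERMATCH_RE.match(line)
        if m:
            flags = re.I if m.group(1) else 0
            envvar = m.group(3).split("=", 1)[0]  # "var" or "var=value"
            matches.append((re.compile(m.group(2), flags), envvar))
            continue
        u = UNSET_RE.match(line)
        if u:
            unsets.append((u.group(1), u.group(2) == "!", u.group(3)))
    return matches, unsets


def stripped_headers(conf_text, request_headers):
    """Simulate which request headers Apache would drop for this request."""
    matches, unsets = parse_conf(conf_text)
    lower = {k.lower(): v for k, v in request_headers.items()}
    ua = lower.get("user-agent", "")
    env = {var for rx, var in matches if rx.search(ua)}  # env vars set by BrowserMatch
    dropped = set()
    for header, negated, var in unsets:
        applies = var is None or ((var in env) != negated)
        if applies and header.lower() in lower:
            dropped.add(header)
    return dropped


def effective_dnt(conf_text, request_headers):
    """Tracking preference the application sees after Apache runs: '1', '0' or None."""
    if "DNT" in stripped_headers(conf_text, request_headers):
        return None  # header removed: no preference expressed, whatever the user chose
    return {k.lower(): v for k, v in request_headers.items()}.get("dnt")


if __name__ == "__main__":
    for ua in (IE10_UA, IE9_UA, FIREFOX_UA):
        req = {"User-Agent": ua, "DNT": "1"}
        print(ua.split("(")[1].split(";")[1].strip(), "->", effective_dnt(SAMPLE_CONF, req))
```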

Fielding’s argument, one presumes, is that IE10 breaches clause three in the Tracking Preference Expression draft:

Key to that notion of expression is that it must reflect the user’s preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user’s control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

However, the document goes on to say (highlighting is mine):

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent’s configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). The user-agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature. Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.

Here is what happens in Windows 8 after startup. This is among the first screens you see when installing Windows 8, before you get full access to the operating system:

image

One of the settings specified is “Turn on Do Not Track in Internet Explorer.” If you click Learn more about express settings you get this:

image

If you click Customize you get this:

image

Does this respect the user’s preference? It seems to me a reasonable effort. The only objection I can see is if you consider that any user agent that defaults to setting Do Not Track on cannot be respecting the user’s preference. The draft specification does not state what the default should be.

It is also worth noting that clause 3 in the Tracking Preference Expression draft has changed; the wording about “not the choice of some vendor” was inserted in the 7th September draft, after Windows 8 was released to manufacturing. Here it is in the latest (March 2012) W3C Working draft:

Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism…

Even if you agree with Fielding’s views on browser defaults, quietly patching the world’s most used web server to ignore the IE10 setting looks hard to defend, especially on a matter that is far from clear cut. Fielding is personally involved, not only as the author of the Tracking Preference Expression document, but also as an employee of Adobe, which specialises in digital marketing and may be more aligned with the vendors and brands that want to track user activity wherever their ads appear than with end users.

Of course Apache is an open source project and Fielding’s patch has attracted the attention of the Apache community and may not survive.

It is also possible that a future draft of the Tracking Preference Expression document will state that Do Not Track must be off by default; but even if it does, patching the web server to ignore the browser’s header strikes me as a contentious solution.

Finally, it is worth noting that sending the Do Not Track header has little effect on whether or not your activity is tracked, since its meaning is unclear and respecting its value is a choice made by third parties, so this is a debate with little practical impact for the time being.

32 thoughts on “Adobe’s Roy Fielding patches Apache to ignore IE10 Do Not Track privacy request”

  1. If it’s included in the “Express” setting then that will be what most users will choose. It’s facetious to think most users actually read and agree with all the install notes. Most will always choose the path of least resistance regardless of what the default options are – for most users it means the vendor makes the decision, clearly an abuse of the intent of DNT.

    The standard quite clearly states that it must be the result of an *explicit* user choice, not that of the browser vendor or a mega corp pushing their own agendas.
    By being in the “Express setting” then it has become the OS provider’s choice, not the user’s – if there was a stand-alone screen with that as the only question with no default option selected, then that would classify as a user choice – it’s not, so IE 10 is ignored and dilutes the meaning for everyone else.

    1. @David these settings are particularly bold and hard to miss. Personally I always hit Customize. But even if you disagree with IE10’s implementation, patching Apache as a workaround seems quite wrong to me.

      Tim

  2. It doesn’t matter what your individual behaviour is – an explicit choice is never made when it’s bundled as part of the default settings.
    For various reasons (i.e. being the easiest option) regardless of what the default options are, most users will go with the defaults, at which point the browser vendor is making the decision which is in clear violation of the spec. It also states DNT can be ignored if violated which is ironically what the change to the Apache *default* conf settings is doing (these are overridable by any admin).

    Hopefully this commit enacts change from Microsoft to change their policy before the meaning behind DNT is damaged and ignored.

    1. @David but this is not just an argument about whether this is or is not an explicit choice. Patching Apache denies use of DNT to all IE10 users regardless of the choices they have made. Hard to defend.

  3. “Before DNT is damaged and ignored?” Too late for that.

    There is no reason — except money — why the default should be to track the user. Frankly, I’m surprised that the EU, with its privacy protections written into law, has not required that DNT be on by default, *AND* respected even if set as a default, under penalty of heavy fines.

    The comments in GitHub are quite amusing.

  4. I tend to feel Microsoft has done everyone a service by exposing how undefined DNT is. As you cannot get the default settings for your Windows 8 without explicitly choosing to accept the defaults – it sits there until you choose either express or customize – it is an explicit choice. Forcing people to make a choice in only the manner you approve of? That’s pretty disrespectful.

  5. @David you confuse me to the point that I am wondering if you have actually read the spec.

    Two call-outs

    “access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment, aside from blanket limitations on what sites can or cannot be accessed through that network”

    “HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests”

    That includes the webserver.

    “For example, a user might select a check-box in their user agent’s configuration, install a plug-in or extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., “Privacy settings: high”)”

    A wizard-like setup experience as in Windows 8 must constitute a valid way to gather a user’s choice. Arguably the default setting to not track is also what an ignorant user might want, but the user might explicitly click next. Furthermore, the spec concludes

    “Although some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled, the user is at least able to choose whether to make use of those user agents”

    Apache could also have used the HTTP response to tell the user-agent that it won’t honor the request. Instead this patch just out right removes the header, which according to the spec is a violation.

    At the end of the day, the spec is not clear, no matter what the intentions were. To submit such a patch because you feel it violates your intention is non-productive. If something violates the spec, then prove it does; if not, change the spec so it aligns with your intent and word it properly.

    This, however, is not about the spec, it is about Microsoft spotlighting something that may, in the end, hurt Google-like businesses, if public awareness of tracking is raised. As such Adobe, and Google (which does not implement DNT in Chrome) naturally do not like that.

    Either way the DNT standard is just bogus, and it is quite obvious as Tom said, that laws will be needed to protect users rights. (if it actually is a right not to be tracked on the internet, you could choose not to go there).

  6. I should probably add, something I forgot to mention, to Roy’s defense, he is actually trying to protect the DNT standard, by making sure the implications of DNT=1 won’t kill the movement, as arguably very few in the industry would gather behind an opt-in to tracking world, in that light it is a different story.

    But again, violating your own spec by changing a web server is just not the right way.

  7. A phrase in my country translates to something like “you could have waited for this” [to happen].
    Whenever you implement a privacy standard in the computer world, every commercial party should be treated as hostile. If it is possible for anyone to sell your ID for cash, they will. The only thing that works is for the browser not to send any identifiable data at all, and not to provide it to toolbars, addins, whatever ..

  8. Microsoft is cheating by setting ‘Do not Track’ for all websites then adding an exception just for Microsoft ‘Help improve Microsoft software, services, and location services by sending us info.’

    What are ‘location services’ if not tracking?

  9. SnijtraM says it all and it does not have to include a computer in the actual transaction, if a company can make money from you or your data it will (store loyalty cards anyone) and it won’t think once, let alone twice, about it.

  10. I think Microsoft’s DNT is a great idea. I use it and only turn it off if it’s stopping me from viewing something I’m interested in. Perhaps enabling it by default is questionable but to patch Apache into ignoring this request is very short sighted. Some people have enabled it “by themselves” and do not wish to be tracked. Taking away user choice is usually the wrong direction to go.

    I think Roy Fielding should perhaps focus on patching Adobe products – after last month’s Patch Tuesday Adobe Reader still had 16 Windows, Mac OS X and 31 Linux vulnerabilities.

  11. Wouldn’t it be time that organizations disregarding web surfers’ wishes not to be tracked be heavily punished, one way or another? We could for instance publish the names of companies who disregard such wishes as well as the customers of such companies, so we could refrain from buying from these companies and invite our friends to do so as well.

  12. I’m missing something here… Whether it is activated or not by default, there IS a default choice that does not necessarily reflect user choice. So it’s ok if default is “Track me”, but not if it is the opposite? There is something clearly wrong here.

  13. Fielding’s decision is not shiny. Defaulting to not track is the optimum for the user. The browser setup clearly enables the user to choose otherwise.

    We tend to think of this as developers who understand and control all aspects of our interactions with deliberation. Consider a household where several members of different age groups are installing browsers for a common LAN. As the head of a household, I like Microsoft’s design choice. It is commercially sound.

    Microsoft chose wisely. Fielding is dancing on the head of a pin.

  14. Whatever happened to the concept of being secure by default? Why should the default be to allow Google to track my every move on the web? Wasn’t it just that type of privacy concern that got Facebook fined by the EU?

  15. That’s great! Microsoft may be in a gray area by having the default for DNT be turned ON, so Fielding has DEFINITELY gone way past that into the abuse he’s accusing Microsoft of by deliberately ignoring what could be a user’s intentional preference. If a user clicks customize in Windows 8 and decides they want DNT on, Apache will now ignore that header and tell any websites running on it to track away!

    I don’t use IE anymore myself, except for testing my sites’ compatibility in all the major browsers, so this doesn’t really affect me directly, but I still find it very irritating that someone would take the law into their own hands, so to speak, and end up breaking the very law they’re trying to enforce.

  16. @Undu The interpretation that people like Fielding are making is that the default is not “do not track me” or “track me”, but “I don’t really care”. The practical implications of this interpretation are like you say, the default is “track me if you want to because I don’t care”. They are essentially playing it safe for the corps, taking advantage of the power of defaults.

  17. Microsoft’s stated policy is that the default settings should protect the user’s privacy, and that any access to the user’s data must be opt-in, because of widespread abuse by charter members of the HTML5 working group, both now and in previous incarnations. The default setting respects long established user preference. For example, search for Yahoo webbug, which is identical to “analytics” services today. Doesn’t look like any users supported Yahoo tracking in this same way. Google and friends want the setting off by default because they assume ignorant users will not know how to turn it on, and so they can continue raping users, since they have no way to identify it is happening. IMO, this tracking should only ever be opt-in, at a site level, and after user consent has been directly obtained, regardless of the header. Any company doing otherwise is unethical. Users should have access to the data also.

    Particularly true for the Google CDN for example, since sites using it have not obtained user consent to track.

    There are very few users who would be surprised at this being the default setting.

    Seriously, it needs to be the default, and the Adobe objection to it simply underscores that and renders it indisputable.

  18. Out of curiosity, could an Internet Explorer 10 user set their DNT setting to True in a way that Adobe-patched-Apache would respect it? Or does this patch basically cancel DNT for a specific browser?

    Is there a positive outcome from this other than Microsoft suing Adobe?

    1. With that patch in place, my understanding is that IE10 users would be prevented from ever sending DNT.

      Tim

  19. The idea that the consumer has no right to even request not to be tracked is insanity!!! If Apache allows this to become part of their server, it means it is just another corporate lackey, marching in step with those who see you as money to be made. Personally, I would never host a website on a server that disregards a visitor’s right not to be tracked. All of my sites and those I maintain are on MS servers, and with this, I don’t see that changing any time soon. I had nothing against Apache, but this would change that. I’m sure if Roy worked at Facebook it would be front page news, but anyone working for a company who profits from this type of data collection is clearly a conflict of interest.

  20. WOW!!!

    I mean really, WOW!!!

    How is it that so many people, including the author, who supposedly have understanding and knowledge in Computer Science, have failed to utilize the proper terminology in regards to this issue?

    This is not a PATCH, it is a CRACK!!!

    A PATCH fixes a bug and corrects poor functionality of a program. On the other hand, a CRACK, is the implementation of a bug or functionality that breaks the normal proper functioning of the program.

    Now for all you unscrupulous people who think that this is a gray area, you just declared that it is OK for Wall Street to create the next great economic downturn; steal people’s homes, raid their retirement accounts, drain your savings account and starve you to death by virtue of the fact that you have just declared it evil to, by default, protect people from dishonest and corrupt individuals whose sole purpose in life is to rob you of your rights and liberties.

    The only people who lack the right to go about their daily activities without being tracked are: suspected criminals (and a warrant must be issued for the tracking to begin), convicted criminals on parole and slaves (slavery being illegal in the United States) which as we all know

    Therefore, I can only infer that those who argue that it is wrong to set do not track on by default are in one of three camps. Those who are slaves, those who think it OK to own slaves and those who think that they have legal ownership of all the people and that they are their legal slaves.

    Either way, it is certainly UN-American to demand that people be made defenseless by default.

    If one considers that the 2nd Amendment, which protects our right to bear arms, applies to not being tracked on the internet: when people violate your privacy, you are left defenseless, a clear violation of the 2nd Amendment.

    I don’t understand why there is even a debate regarding this. Adobe’s Roy Fielding is violating people’s rights because Microsoft has chosen to have a security first focus rather than their historical security last focus.

    It is quite obvious that the only thing Adobe’s Roy Fielding is doing is making it easier for his employer, Adobe, to steal people’s private information so that Adobe can profit from it.

    Why else would someone break a standard that was implemented to protect people’s privacy? The original intent of the DNT standard was to protect people from being tracked. How that protection is implemented, whether by a user’s express choice to click a check box and enable DNT or whether it is by Microsoft’s default-on policy to protect users’ information, is irrelevant. What is relevant here is the fact that Adobe’s Roy Fielding has chosen to break that standard and has declared that no one has a right to be protected by default when in reality, the United States Constitution requires that the rights and liberties of the people be protected. And those rights include the right to not be tracked.

    Why is it that people will go all hog wild when the Government violates their Constitutional right against undue search and seizure, yet allow corporations to do just that by tracking them over the internet?

    Some of you really need to think about what is important here. But then again, those of you who do, would sell your mother for a buck.

    Just Saying:

    Bishop
    Scott A. Tovey

  21. Microsoft messed up. Imagine: everyone who gets a phone is by default on the Do Not Call registry and has to actively register to remove themselves. Or that by default every location is considered “No Trespassing” and to opt out you need a sign “Trespassing Okay”, or instead of “No Hunting” signs, you have to post “Hunting Okay”. Some people would like this default, but as many have pointed out it defeats the intended purpose.

  22. @Bill

    “Imagine: Everyone who gets a phone is by default on the Do Not Call registry and has to actively register to remove themselves.”

    Yep. You’ve nailed it. This is EXACTLY the way it should be. And for all the same reasons that DNT should be on by default. Just because a whole group of industries are getting fat violating individual privacy without consent, that doesn’t mean it’s their right to do so. Sure it’s not against the law, but only because in the past we never needed laws against it. Society as a whole makes laws and establishes rights, not just the groups making profits by exploiting a moral loophole. It’s really not complicated once you filter out the hype.

    And to finish your quote off Bill:

    “Imagine: all the people, living for today. Woo-oo, oo-oo-oo.”

    You may say I’m a dreamer, Bill, but I’m not the only one.

  23. WOW! This is an example of the lunatics writing the rules as to what constitutes insanity. According to what I understand, Fielding is the Head Lunatic and the rest of you are standing around blowing air up each other’s skirts with ivory tower rhetoric trying to decide if he is insane or is just attempting to make an emphatic point and it only appears that he is a lunatic.

    Message to W3C: Roy Fielding is a certifiable lunatic and the DNT definition needs to be rewritten and Mr. Fielding’s patch needs to be dumped in the BAD IDEA file.

    There – rather than endlessly discussing this, copy the above message and send it to the W3C.
